However, when I extract the zpub master public key and add it to a watch-only wallet in Electrum, I get exactly the same addresses and balances as with the .json file. But when I try to sign a transaction by extracting a PSBT file, it doesn't work; Coldcard gives an error message that wallet signatures don't match.
As you mentioned, it is a watch-only wallet, so it is impossible to sign a transaction because there isn't a key to open it. So it is possible that the PSBT also doesn't have a key to sign. So, what is PSBT? I just heard of it today from you.
Can someone explain the difference between the .json file and the zpub master key? Do they contain exactly the same data in a different format, or is there a real difference? Also, is there an increased risk in exposing the .json file to the public/hackers vs the xpub/zpub?
Yes, they are NOT exactly the same data. You cannot use the .json file with a wallet that doesn't support it, while the zpub master key you can first extract with a tool, so that you get the key to import into another wallet.
Someone from Coinkite suggested that the issue is probably different paths, but if the paths are different, wouldn't you get different addresses? In my case, I get 2 identical Electrum wallets with exactly the same addresses (native segwit). Except when using the zpub in Electrum, I can't sign a transaction (different master key fingerprint).
Maybe Coinkite support doesn't mean the derivation path, but another path, like the .json file or code.
Like in Electrum, we can't import a private key without the code in front [p2pkh:, p2wpkh-p2sh:, p2wpkh]
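
Added example, not part of the posts above and not Coinkite's or Electrum's code: a decoder for the BIP32/SLIP-132 serialization that shows which fields a bare zpub string actually carries. The sample key is constructed from made-up bytes, and the function names are this example's own.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# SLIP-132 version bytes for public extended keys
VERSIONS = {0x0488B21E: "xpub", 0x049D7CB2: "ypub", 0x04B24746: "zpub"}

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload):
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad Base58Check checksum")
    return raw[:-4]

def parse_extended_pubkey(text):
    """Split a BIP32 serialized public key into its six fields."""
    p = b58check_decode(text)
    version = int.from_bytes(p[0:4], "big")
    if len(p) != 78 or version not in VERSIONS:
        raise ValueError("not a 78-byte xpub/ypub/zpub payload")
    child = int.from_bytes(p[9:13], "big")
    return {
        "type": VERSIONS[version],
        "depth": p[4],                       # 3 for m/84'/0'/0'
        "parent_fingerprint": p[5:9].hex(),  # parent key, not the master key
        "child_number": str(child & 0x7FFFFFFF) + ("'" if child >> 31 else ""),
        "chain_code": p[13:45].hex(),
        "public_key": p[45:78].hex(),
    }

# Constructed sample (not a real wallet): account-level zpub with made-up fields
SAMPLE_ZPUB = b58check_encode(
    bytes.fromhex("04b24746") + b"\x03" + bytes.fromhex("aabbccdd")
    + (0x80000000).to_bytes(4, "big") + bytes(range(32)) + b"\x02" + bytes(range(32, 64)))

if __name__ == "__main__":
    for name, value in parse_extended_pubkey(SAMPLE_ZPUB).items():
        print(f"{name:19}{value}")
```

The serialization holds only the version, depth, parent fingerprint, child number, chain code and public key; the master key fingerprint and the full derivation path are not among its fields.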